This blog was written by a guest blogger.
Cybercriminals never sleep. Why? They're too busy looking for application vulnerabilities. In the world of cybercrime, a flawed application is a potential goldmine for them, but an onramp to disaster for most organizations.
A vulnerable state
The threat landscape has increased at a frightening speed. We've moved beyond merely dealing with basic threats to countering highly advanced and persistent attacks.
But how bad are things, really?
In an ideal world, following cybersecurity best practices, we find out that there is a vulnerability in the software we use or develop. We promptly apply a patch or remediate the issue, and the problem goes away.
In the real world, over 63% of all reported unpatched vulnerabilities are at least two years old. Some even date back to 2002.
Why is this? Why do so many organizations put themselves and their customers at risk by neglecting longstanding and known flaws?
Put simply; it's hard to stay on top of remediation. It takes enough time, money, and skilled resources to get the job done.
And it shows. On July 28, 2021, together the U.S. Cybersecurity and Infrastructure
Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom’s National
Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) all issued a joint advisory on the world’s top routinely exploited vulnerabilities. The key point being that
“Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide…”
Yet, remediating known vulnerabilities remains one of the biggest challenges for organizations, with Bitdefender’s business telemetry revealing:
- 60% of breach victims in 2019 report that they were attacked through unpatched vulnerabilities.
- 62% didn't even know they were vulnerable until after the breach, and
- 52% were using manual patching procedures.
Developers are no longer your first line of defense
Frighteningly, Gartner says that 99% of vulnerabilities exploited will continue to be ones organizations know about, but have not yet addressed at the time of the incident. So, why are remediation times so slow?
Fixing vulnerabilities is time-consuming and expensive, so as a result often gets delayed, deprioritized, or even ignored. Why? Factors impacting remediation range from a lack of resources, to challenging environments with inconsistent DevSecOps practices, to haphazard scanning frequency and security testing. Development teams are often consumed by their most pressing projects, and so are short on the resources needed to address flaws that haven't (yet) caused a problem, or aren't spending adequate time on the legacy applications. The traditional reliance on developers to remediate application vulnerabilities is no longer viable.
In short, they have too much to do, and not enough time or specialist security skills to do it.
Introducing Web Application Shielding
In responding to this market need, AT&T has added another layer of capability to their highly-regarded Managed Vulnerability Program (MVP) – Web Application Shielding.
How does Web Application Shielding work?
Shields are code designed to fix otherwise exploitable vulnerabilities in applications. The shields modify and transform requests and responses in the traffic flow, making the vulnerabilities undiscoverable, or nullify the associated exploits. And best of all, as shields are deployed on an edge compute platform in front of your application, vulnerabilities are remediated without touching your underlying application code. In fact, access to the code isn't even required, so shields can work for third-party applications, frameworks, and hosting platforms.
What does this mean for AT&T MVP customers?
The power of Web Application Shielding is that it gives you room to breathe. As an AT&T MVP customer, you can now rapidly remove vulnerability risk across all your web applications – whether they are legacy, third-party, or custom built.
For example, if a third-party or vendor patch isn't available, it’s now no longer a problem—you can just shield it. If a component or platform upgrade is the only way to address a vulnerability (due to an outdated application no longer serviced by security patches) and it's too expensive or disruptive to upgrade, shield it. And if you require internal customer development resources or external vendors to deliver a fix, which could divert resources away from revenue-generating activities – now you’ve got the solution - shield it.
Three examples of how Web Application Shielding can save the day
- Compromised accounts due to password reuse, credential stuffing attacks, and compromised email accounts remain major problems globally. Many organizations – especially those with older applications or limited development resources – struggle to implement multi-factor authentication (MFA) due to time, cost, or technical constraints. With AT&T MVP Web Application Shielding, organizations can now implement MFA across applications within days, using SMS-based or Time-based One Time Password (TOTP) shields. These shields can be implemented without touching application code, and without impacting legitimate users’ experience.
- A government health organization discovered a major security flaw during a standard penetration test on a critical web application. Resolving it without a major disruption to services seemed impossible, and there were no other feasible (or commercially viable) options. Web Application Shielding came to the rescue with an affordable customized application stateful logic shield to address the flaw – developed and deployed in just one week.
- A leading browser-based and mobile payment processing solution provider of PCI -compliant technology was at risk of losing their accreditation when routine penetration testing uncovered over 100 critical issues. After a year of 'expert' help and significant cost, the number of issues impacting the organization's industry compliance increased by 20%. Web Application Shielding was deployed and within 72 hours repaired 20 of the 22 penetration test findings, and then went on to solve all the issues successfully. This helped the payment processor pass its PCI audit without any issues.
For more information on how Web Application Shielding works in the AT&T Managed Vulnerability Program, download the product brief to learn more.